On October 6th 2015, the Court of Justice of the European Union (CJEU), in a ruling shaped by the Snowden revelations about NSA surveillance, invalidated the long-established Safe Harbor agreement between the EU and the U.S., which had allowed personal data to be transferred to and processed on servers on either side of the Atlantic.
So what does this mean for the internet giants, and more importantly, what does it mean for your business?
What was the Safe Harbor agreement?
European privacy law (Directive 95/46/EC) does not allow the personal data of individuals in the EU to be transferred outside the EU unless the destination is deemed to offer an “adequate” level of data protection, or another recognised safeguard is in place.
Safe Harbor was a framework agreed in 2000 between the European Commission and the U.S. Department of Commerce. It rested entirely on a self-certification program: American companies declared that they met the Safe Harbor privacy principles, and that declaration alone was enough to let their EU customers’ personal data flow to US-based servers and data centers.
Tech giants and other large companies like Facebook that had self-certified under Safe Harbor have since announced that they will move quickly to amend their contractual clauses so that EU data remains protected and their transfers stay lawful after the ruling.
What happens now?
The EU data protection authorities have set the end of January 2016 as the deadline for a replacement for Safe Harbor. The new pact will likely be a more restrictive version of the current data transfer process.
- Individuals in the EU can now take action, through their national data protection authority or the courts, under Directive 95/46/EC against any company they believe does not guarantee an adequate level of protection for their data. This means any EU company that transfers personal data to a US service provider is potentially exposed (e.g. accounting, CRM, procurement, HR software, cloud hosting, online marketing and customer data collection).
Each EU Member State’s DPA must now decide whether to suspend data transfers to the U.S., taking into account the alternative transfer mechanisms companies may have put in place, such as “Binding Corporate Rules” or the “EU Model Clauses”:
- Following the CJEU’s Schrems judgment, one of the German Data Protection Authorities (the one for Schleswig-Holstein) has declared that all the usual workarounds for transferring data to the US will be treated as illegal. It has also warned businesses and public bodies that they may be fined up to €300,000 for transferring personal data to the US “without legal basis”. Note, though, that this is the position of a single German DPA (each Land has its own).
- The United Kingdom’s Information Commissioner’s Office (ICO, the UK DPA) stated that “businesses that use Safe Harbor will need to review how they ensure data transferred to the US is done so in line with the law.” Since the ruling, companies, especially those in highly regulated industries such as finance, have been turning to local providers; British SaaS provider Really Simple Systems has reported an influx of customers leaving Salesforce.
- The European DPAs, including the French Commission Nationale de l’Informatique et des Libertés (CNIL), met on October 15th to analyse the consequences of the CJEU’s decision of October 6, 2015. They adopted a common statement asking the European institutions and regulatory bodies to find legal and technical solutions by the end of January 2016. Expect more news soon.
My company operates in the EU. Am I impacted by the invalidation of the EU Safe Harbor agreement?
As an email service provider, we can’t offer legal advice, so we encourage you to consult your attorney for a full understanding of how this affects your business and what steps to take. In the meantime, we’ve put together some general guidelines to help you identify where you might be impacted and how to work towards regulatory compliance if needed.
- Under EU/EEA data protection law, your organization is the data controller: you remain responsible for all the personal data you collect and for how it is transferred. So start by determining what type of data you collect. Before you put new procedures in place, map every category of personal data you currently collect from customers or prospects, and where each one is sent, stored and/or processed.
- Identify any “personal data” collected by you or by any third party working with your business. With the rise of cloud software and more data being hosted by third-party service providers, there’s a good chance some of it is being sent to the US.
- If your U.S. service providers receive, store and/or process any “personal data” from EU residents without proper data protection agreements in place, you should put a new contract in place that includes at least the EU Model Clauses, or another mechanism that lets you lawfully transfer data from the EU to the U.S. If your service provider or supplier was Safe Harbor certified, it is likely to be drawing up new agreements and terms of business to make sure it is covered. Review these contracts carefully with legal counsel rather than rushing into a quick fix, and ask your national regulator for advice.
- If you don’t have an explicit agreement with your U.S.-based service provider, the safest option is probably to migrate to an EU-based provider as soon as possible, to limit your risk exposure and legal liability.
- Finally, it is worth recalling the basic email marketing best practices. You should always keep these in mind, but they are also mandatory under European law:
- Unsolicited mass email sent by a company is considered spam and can expose the sender to legal action.
- Companies must collect explicit consent (through opt-in) before using customer data for marketing purposes. This includes data collected through interaction with emails, websites, apps and more. For example, if you want to send a personalized email based on a contact’s location, you are not allowed to do so without their consent. EU-based organizations should protect themselves by updating the wording of their email opt-in process to include permission to use this information to tailor email content.
What about Mailjet?
In rare cases, Mailjet may have to transfer some data to U.S.-hosted services, for analytics or to fight spam for instance. In those cases we never relied on Safe Harbor certification alone: we also required a firm commitment from the receiving services to comply with European rules, through binding DPAs (Data Protection Agreements) that include the EU Model Clauses.
If you’re already a Mailjet customer, your data and that of your own customers and recipients are safe. The CJEU’s invalidation of Safe Harbor won’t change the way you currently use our services. Rest easy and send confidently.
If you’re not currently using Mailjet, this CJEU decision might be a good opportunity to revisit your email strategy and take a deeper look at how your customer data is currently being protected. Contact us if you’d like to chat more!
Update, 14th April: The EU and the US have been working together on a new framework to replace Safe Harbor. The proposed agreement, Privacy Shield, has not been finalised yet, and both sides still have work to do to ensure it adequately protects personal data when it is transferred.
Is your business or organization affected by the invalidation of Safe Harbor? Do you have any tips to share on transferring data and adjusting to new regulations? Discuss with us below.